comparison src/http/ngx_http_request.c @ 8180:01dc595de244 quic
Cleanup.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 28 Feb 2020 13:09:52 +0300 |
parents | 7ee1ada04c8a |
children | 3cb4f16426a5 |
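--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -676,20 +676,10 @@
 
 c = rev->data;
 hc = c->data;
 b = c->buffer;
 
-qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t));
-if (qc == NULL) {
-ngx_http_close_connection(c);
-return;
-}
-
-c->quic = qc;
-
-printf("buffer %p %p:%p:%p:%p \n", b, b->start, b->pos, b->last, b->end);
-
 if ((b->pos[0] & 0xf0) != 0xc0) {
 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "invalid initial packet");
 ngx_http_close_connection(c);
 return;
 }
@@ -710,10 +700,18 @@
 if (version != 0xff000018) {
 ngx_log_error(NGX_LOG_INFO, rev->log, 0, "unsupported quic version");
 ngx_http_close_connection(c);
 return;
 }
+
+qc = ngx_pcalloc(c->pool, sizeof(ngx_quic_connection_t));
+if (qc == NULL) {
+ngx_http_close_connection(c);
+return;
+}
+
+c->quic = qc;
 
 qc->dcid.len = *b->pos++;
 qc->dcid.data = ngx_pnalloc(c->pool, qc->dcid.len);
 if (qc->dcid.data == NULL) {
 ngx_http_close_connection(c);
@@ -785,18 +783,18 @@
 
 size_t is_len;
 uint8_t is[SHA256_DIGEST_LENGTH];
 ngx_uint_t i;
 const EVP_MD *digest;
-const ngx_aead_cipher_t *cipher;
+const EVP_CIPHER *cipher;
 static const uint8_t salt[20] =
 "\xc3\xee\xf7\x12\xc7\x2e\xbb\x5a\x11\xa7"
 "\xd2\x43\x2b\xb4\x63\x65\xbe\xf9\xf5\x02";
 
 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.3 */
 
-cipher = NGX_QUIC_INITIAL_CIPHER;
+cipher = EVP_aes_128_gcm();
 digest = EVP_sha256();
 
 if (ngx_hkdf_extract(is, &is_len, digest, qc->dcid.data, qc->dcid.len,
 salt, sizeof(salt))
 != NGX_OK)
@@ -824,41 +822,22 @@
 
 /* draft-ietf-quic-tls-23#section-5.2 */
 qc->client_in.secret.len = SHA256_DIGEST_LENGTH;
 qc->server_in.secret.len = SHA256_DIGEST_LENGTH;
 
-#ifdef OPENSSL_IS_BORINGSSL
-qc->client_in.key.len = EVP_AEAD_key_length(cipher);
-qc->server_in.key.len = EVP_AEAD_key_length(cipher);
-
-qc->client_in.hp.len = EVP_AEAD_key_length(cipher);
-qc->server_in.hp.len = EVP_AEAD_key_length(cipher);
-
-qc->client_in.iv.len = EVP_AEAD_nonce_length(cipher);
-qc->server_in.iv.len = EVP_AEAD_nonce_length(cipher);
-#else
 qc->client_in.key.len = EVP_CIPHER_key_length(cipher);
 qc->server_in.key.len = EVP_CIPHER_key_length(cipher);
 
 qc->client_in.hp.len = EVP_CIPHER_key_length(cipher);
 qc->server_in.hp.len = EVP_CIPHER_key_length(cipher);
 
 qc->client_in.iv.len = EVP_CIPHER_iv_length(cipher);
 qc->server_in.iv.len = EVP_CIPHER_iv_length(cipher);
-#endif
-
-#ifdef OPENSSL_IS_BORINGSSL
-ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
-"quic EVP key:%d tag:%d nonce:%d",
-EVP_AEAD_key_length(cipher),
-EVP_AEAD_max_tag_len(cipher),
-EVP_AEAD_nonce_length(cipher));
-#endif
 
 struct {
-ngx_str_t id;
-ngx_str_t *in;
+ngx_str_t label;
+ngx_str_t *key;
 ngx_str_t *prk;
 } seq[] = {
 
 /* draft-ietf-quic-tls-23#section-5.2 */
 { ngx_string("tls13 client in"), &qc->client_in.secret, &iss },
@@ -892,18 +871,19 @@
 },
 {
 /* AEAD_AES_128_GCM prior to handshake, quic-tls-23#section-5.4.1 */
 ngx_string("tls13 quic hp"),
 &qc->server_in.hp,
-&qc->server_in.secret
+&qc->server_in.secret,
 },
 
 };
 
 for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
 
-if (ngx_quic_hkdf_expand(c, digest, seq[i].in, seq[i].prk, &seq[i].id, 0)
+if (ngx_quic_hkdf_expand(c, digest, seq[i].key, &seq[i].label,
+seq[i].prk->data, seq[i].prk->len)
 != NGX_OK)
 {
 ngx_http_close_connection(c);
 return;
 }
@@ -971,11 +951,12 @@
 }
 #endif
 
 ngx_str_t out;
 
-if (ngx_quic_tls_open(c, cipher, &qc->client_in, &out, nonce, &in, &ad)
+if (ngx_quic_tls_open(c, EVP_aes_128_gcm(), &qc->client_in, &out, nonce,
+&in, &ad)
 != NGX_OK)
 {
 ngx_http_close_connection(c);
 return;
 }
@@ -1088,11 +1069,13 @@
 static void
 ngx_http_quic_handshake_handler(ngx_event_t *rev)
 {
 size_t m;
 ssize_t n;
+ngx_str_t out;
 ngx_connection_t *c;
+const EVP_CIPHER *cipher;
 ngx_quic_connection_t *qc;
 u_char buf[4096], b[512], *p;
 
 c = rev->data;
 qc = c->quic;
@@ -1247,39 +1230,27 @@
 ngx_log_debug3(NGX_LOG_DEBUG_HTTP, rev->log, 0,
 "quic ad: %*s, len: %uz", m, buf, ad.len);
 }
 #endif
 
-const ngx_aead_cipher_t *cipher;
-
 u_char *name = (u_char *) SSL_get_cipher(c->ssl->connection);
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
 "quic ssl cipher: %s", name);
 
 if (ngx_strcasecmp(name, (u_char *) "TLS_AES_128_GCM_SHA256") == 0
 || ngx_strcasecmp(name, (u_char *) "(NONE)") == 0)
 {
-#ifdef OPENSSL_IS_BORINGSSL
-cipher = EVP_aead_aes_128_gcm();
-#else
 cipher = EVP_aes_128_gcm();
-#endif
 
 } else if (ngx_strcasecmp(name, (u_char *) "TLS_AES_256_GCM_SHA384") == 0) {
-#ifdef OPENSSL_IS_BORINGSSL
-cipher = EVP_aead_aes_256_gcm();
-#else
 cipher = EVP_aes_256_gcm();
-#endif
 
 } else {
 ngx_ssl_error(NGX_LOG_INFO, rev->log, 0, "unexpected cipher");
 ngx_http_close_connection(c);
 return;
 }
-
-ngx_str_t out;
 
 if (ngx_quic_tls_open(c, cipher, &qc->client_hs, &out, nonce, &in, &ad)
 != NGX_OK)
 {
 ngx_http_close_connection(c);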
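Review bot: The DCID length byte read at `qc->dcid.len = *b->pos++;` in the second hunk, directly below the relocated `qc` allocation, still comes straight from the packet and is handed to `ngx_pnalloc` and later to `ngx_hkdf_extract` (third hunk) as the Initial-secret input without being checked against the bytes left in the buffer or the 20-byte connection-ID limit of the draft-23 Initial packet. A truncated or malformed Initial would let whatever copies the DCID out of `b` (not visible in the hunk) read past `b->last`, and an attacker-chosen length feeds straight into key derivation. I would reject the packet immediately after the length is read with `if (qc->dcid.len > 20 || (size_t) (b->last - b->pos) < qc->dcid.len) {`, logging at NGX_LOG_INFO and closing the connection exactly as the "unsupported quic version" check above does. The enclosing handler starts before the first hunk, so the earlier buffer-length assumptions cannot be confirmed from here.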